ISO 27001:2022 Transition Toolkit
The Transition to ISO 27001:2022
The transitioning process from ISO/IEC 27001:2013 to ISO/IEC 27001:2022 is expected to be completed in three years, starting from the publication date of ISO/IEC 27001:2022, October 25, 2022. Therefore, the current 2013 version certificates need to be transitioned to the new version before October 31, 2025.
The transition audit can be carried out at any scheduled audit during the 3-year transition period but can also be performed as a special transition audit.
Organizations that are certified against ISO/IEC 27001:2013 can initiate the update of their ISMS based on ISO/IEC 27001:2022 at any time and the main workload is to implement the new controls of Annex A.
What You Need to Know
Transition Requirements
- All organizations must have a transition audit to confirm the implementation of the revised standard. The transition audit may be conducted in conjunction with an existing audit or can be a stand-alone audit.
- If the transition audit is conducted in conjunction with an existing surveillance (i.e. transition surveillance) or recertification audit (i.e. transition re-assessment), additional time may be added to the audit duration in order to cover the new requirements/concepts introduced by ISO 27001:2022.
- If a stand-alone audit is carried out for the transition audit, the duration is calculated on an individual organization basis.
- The duration of the specific transition audit is between 0.5 to 1.5 audit day(s) and is dependent on the organization’s size and the complexity of the ISMS. Your ABS QE Client Representative will advise your specific transition audit duration.
Certificate Validity
Updated ISO 27001:2022 certificate issuance and validity will be as follows:
- Transition surveillance: The organization’s existing ‘Valid Until Date’ will be maintained.
- Transition re-assessment: A new ‘Valid Until Date’ will be issued for the renewed 3-year period.
- Stand-alone transition: The organization’s existing ‘Valid Until Date’ will be maintained.
How to Prepare for the Transition
Organizations can prepare for the transition by taking the following steps:
- Conduct a gap analysis to understand your existing system and determine the changes required to fulfill the requirements of the new edition of the standard.
- Assess the information security risks and determine the information security controls that should be implemented.
- Review and update the risk treatment plan and the Statement of Applicability.
- Review other ISMS documentation and the mapping with other frameworks or sets of controls, and update them as necessary.
- Plan and conduct role-based training regarding the new standard requirements, if necessary.
- Implement controls to meet new requirements.
- Conduct an internal audit to assess the ISMS compliance, as required by clause 9.2 of ISO/IEC 27001:2022.
- Start the migration/certification process. Certified companies may wish to pursue a more aggressive timeline for this to benefit from the heightened levels of security and privacy included in the new 27001 release.
Toolkit Resources
Explore more insights about the transition to ISO 27001:2022 and how to prepare now for the upcoming change.
Summary of Changes
Learn what has changed in the revised standard's structure in this summary of ISO 27001:2022.
Webinar: Everything You Need To Know About The ISO 27001:2022 Update
In this webinar, our team of experts uncover the revised information security standard and the transition policies for currently certified organizations.
Frequently Asked Questions (FAQ)
Our ABS QE team, who are accredited experts in the field of management systems certification, address the transition process and what you need to know about complying with ISO 27001:2022 in our FAQ.
Correlation Matrices
This document gives correlation matrices from ISO 27001:2013 to ISO 27001:2022 and vice versa. The document can be used to highlight where the new and revised clauses are located.
ISO 27001:2022 Certification
Service Flyer
The flyer includes a summary of the benefits an organization gains when implementing ISO 27001:2022 certification, a holistic approach that goes beyond IT, allowing people, technology and processes to benefit organization-wide.